Server get flooded by Avast Secure DNS

Question

My server is getting flooded by Avast Secure DNS. This was generating high I/O while writing lots of entries in daemon.log and syslog files. Thank to fail2ban, I was able to ban those IP and get the server back to normal.

I come here to ask for some details about this since I'm Linux learner. The server is running on Debian Wheezy.

Here is a sample of daemon.log file :

Jan 27 20:47:43 server named[xxxx]: client 37.110.213.97#51810: query (cache) '2.SecureDNS.AVASt.CoM/TXT/IN' denied
Jan 27 20:47:49 server named[xxxx]: client 154.0.26.150#38513: query (cache) '2.SECUredNs.Avast.cOM/TXT/IN' denied
Jan 27 20:47:50 server named[xxxx]: client 154.0.26.150#33704: query (cache) '2.sEcurEDns.avasT.COm/TXT/IN' denied
Jan 27 20:47:54 server named[xxxx]: client 154.0.26.150#50798: query (cache) '2.sEcUreDns.avasT.com/TXT/IN' denied
Jan 27 20:48:06 server named[xxxx]: client 201.79.137.74#54727: query (cache) '2.SeCuREDnS.AvAST.CoM/TXT/IN' denied
Jan 27 20:48:07 server named[xxxx]: client 201.79.137.74#54735: query (cache) '2.secuReDNs.avaSt.cOM/TXT/IN' denied
Jan 27 20:48:11 server named[xxxx]: client 201.79.100.41#54754: query (cache) '2.SeCUrEDNS.AVAsT.COM/TXT/IN' denied
Jan 27 20:48:12 server named[xxxx]: client 77.147.247.52#62948: query (cache) '2.SecUREdns.AvAsT.COM/TXT/IN' denied

• Is that what they call DDos attack ?
• Why this come from Avast Secure DNS ?
• What's the best solution to handle this ?
• When will this stop ?
• How can I know where this attack come from ?

Answer 1

It's unlikely that this is coming from avast secure DNS. More likely, you're running an open DNS resolver and an attacker with a botnet is trying to DDoS Avast SecureDNS by using open resolvers to direct traffic to Avast.